How to Protect WordPress Blog From Brute Force Attacks

How to Protect WordPress Blog From Brute Force Attacks

There are some crazy people out there who will try to hack your blog. One of the most common types of hack attacks is Brute Force Attack, where a hacker runs a script and attempt to login your account by using different combinations of username and password.

We recently suffered a brute force login attack on RoadToBlogging.Com. Whoever did this was trying to log-in to our blog using different usernames like “admin”, “administrator”, “roadtoblogging”. Because of the high numbers of HTTP request to the server, RTB went down.

So whenever I or visitors were trying to access the blog, this error was being shown – “Internal Server Error“. Our other sites on this server were also showing the same error.

However, I was able to stop the attack by contacting with hosting provider. But the In this post, I will be sharing how to protect your WordPress blog from brute force attacks.

Before moving to the tips, I would like to tell you what actually a Brute Force Attack is.

What is Brute Force Attack?

Brute Force Attacks are attacks where hackers rapidly wheel through some directory names, usernames, passwords and IP addresses to get access to private data or Files.

AutoBots or softwares are used to generate a large number of continuous guesses to get the desired data.

This attack in WordPress blogs mainly targets the wp-login.php file to get access to blogs. It tries different usernames and passwords over and over again until it gets in.

Now let’s see how to prevent this attack on your WordPress blog.

1. Avoid Common Usernames and Use a Strong Password

At first I’d recommend you to change your default WordPress username. Don’t use usernames like “admin”, “administrator” or your site name. These usernames are easy to guess. When RoadtoBlogging was attacked, hacker used following usernames.

So avoid these “easy to guess” types of usernames. Set a truly random username.

At the same time, you have to make sure that you are using a strong password. A strong password contains 8+ characters, no dictionary words, uppercase & lowercase letters, numbers, symbols (e.g. !@#$) etc.

You can also use an online strong password generator. One of the popular tools is – Passwords Generator.

2. Use JetPack Brute Force Attack Protection

JetPack is a powerful WordPress plugin by Automattic with a lot of feature. Recently Jetpack has introduced a new feature called ‘Protect’. It helps you to secure your WordPress sites from malicious and unwanted login attempts. That means your blog will be protected from brute force attack.

All you need to do is, install the plugin from here. Once you’ve activated the plugin, ‘Protect’ option will be enabled automatically. However, you can check whether the Protect option is enabled or not by going to WordPress Dashboard > Jetpack > Setting. You can also whitelist an IP address prevents it from being blocked by Jetpack. Just click on ‘Configure’ from ‘Protect’ option.

Jetpack Whitelist Management

3. Use CloudFlare CDN

CloudFlare is a free CDN service. You can use it to speed up your site and to make it more secure.

CloudFlare handles all Brute Force Attacks on WordPress blog. I am using CloudFlare on RoadToBlogging. Unfortunately, “Basic Protection Level” in CloudFlare settings was set to ‘Low’ at the time of brute force attack.

Normally, ‘Medium’ and ‘High’ options are good. But if you’re under attack ever just select the option “I am under attack!”. It will work within a short time.

If you are using CloudFlare on your blog, configure the security settings now. If you are not, read How to Setup Free ClouldFlare CDN for WordPress.

4. Use ‘Limit Login Attempts’ WordPress Plugin

If you are using Jetpack plugin, you don’t need to install this plugin.

This plugin hasn’t been updated in over 2 years, but it still works with latest WordPress version. This plugin limits the number of login attempts possible both through normal login as well as using auth cookies.

Here is plugin option page.

This plugin will limit the number of retry attempts when logging in (for each IP). It stops users from further attempt to login after specified number of failed logins.

So if your WordPress blog is attacked you can block attacking IPs from attempting to login over and over again.

5. Hide WordPress Login Page

This is a little bit risky. Only do this if you know what you are doing.

You can hide your wp-login.php file. So that the attackers won’t be able to find that page to attack.

To do that, you will need a Plugin named Secure Hidden Login. This plugin will hide the login page and you can login to your site using a key combination or special button.

You can totally hide the login page and other options. You can also select from a list of symbols to show in your blog.

When you click on that symbol, you will see login options. Otherwise you won’t. I think it’s safe to select Hidden and set a Key Combination to login to your blog.

Check the box “Block wp-login.php” to hide the wp-login.php page. Make sure your .htaccess file has the correct permissions.

And don’t forget to disable this option before uninstalling the plugin.

These are some steps you can take to secure your WordPress blog from attacks. However, if your WordPress blog is under Brute Force Attack here are some things you can do –

  • Contact your Hosting Provider immediately. They can help you out for sure.
  • If you use CloudFlare, change the Protection Level to “I am under attack!”

If you use HostGator as your Hosting provider you should check this article. This can be helpful.

Hope this post helped you to protect your WordPress blog from brute force attacks. If you found this useful don’t forget to share the post on Facebook, Twitter and Google Plus.

7 responses to “How to Protect WordPress Blog From Brute Force Attacks”

  1. Atinder Avatar

    Well, recently Brute force Attacks has immensely increased, becoming a dangerous factor for all WordPress users, but it is a thing, which is fightable, I mean, by using security methods, we can move brute force attacks out of the window. Although, it can be difficult for newbies, who just got started with WordPress, but he/she can learn by reading posts online and then can implement security.
    In my view, implementing only three tricks works very well, Changing Login Slug, A content Delivery network (CDN) and a Security Plugin, which bans IP address after a few Login attempts.

    1. Istiak Rayhan Avatar
      Istiak Rayhan

      Agree with you. Thanks for sharing your valuable thoughts.

  2. Sachin Avatar

    Hi Istiak
    How to attach account with with the help of jetpack because its required after installing jetpack.

    1. Istiak Rayhan Avatar
      Istiak Rayhan

      Just create an account on

  3. Tirtha Ojha Avatar

    Few days back I was also suffering from the same issue, when I saw my stats I found hundreds of suspicious login attempts from the different locations. Thanks to Login Lockout plugin for protecting my site from hackers.
    Anyway, thanks Istiak for this great post!

    1. Istiak Rayhan Avatar
      Istiak Rayhan

      I am using Jetpack protection. It works great. If you are not using Jetpack, I’d suggest you to install Jetpack. It has many features. I bet you will love it.

      1. Tirtha Ojha Avatar

        You’re right bro, Jetpack Protection is also working great.

Leave a Reply

Your email address will not be published. Required fields are marked *